novotnyllc / NuGetKeyVaultSignTool

Sign NuGet packages using certificates in Azure Key Vault
MIT License

Tool cannot sign wildcard paths #12

Closed timheuer closed 5 years ago

timheuer commented 5 years ago

For some reason, when run within an Azure DevOps release task it is not working, erroring out saying "KeyVault URL not specified".

As you can see from the log, it is specified (I also tried -kvu) but it still errors on that step:

2019-05-02T18:02:54.3830516Z nugetkeyvaultsigntool sign D:\a\r1\a\_Alexa.NET-master\drop\*.nupkg -file-digest sha256 -timestamp-rfc3161 "http://timestamp.digicert.com" --timestamp-digest sha256 --azure-key-vault-url "REMOVED_FOR_THIS_ISSUE_POST" --azure-key-vault-client-id "***" --azure-key-vault-client-secret "***" --azure-key-vault-certificate "***"
2019-05-02T18:03:00.1332781Z fail: NuGetKeyVaultSignTool.Program[0]
2019-05-02T18:03:00.1333613Z       Key Vault URL not specified
clairernovotny commented 5 years ago

Looks like -file-digest is missing a dash up front: --file-digest. Same with -timestamp-rfc3161; it needs two dashes to use the long version. If you fix that, does it help?

timheuer commented 5 years ago

Weird, that same failure of a leading '-' wasn't a problem locally... but I changed it and it's still failing in the task, but now the log shows me nothing... it just runs with "Waiting for console output from an agent..." for about 1.5 minutes and then fails:

2019-05-02T20:14:50.1505601Z Unhandled Exception: System.AggregateException: One or more errors occurred. (Operation returned an invalid status code 'InternalServerError') ---> Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'InternalServerError'
2019-05-02T20:14:50.1507204Z    at Microsoft.Azure.KeyVault.KeyVaultClient.GetCertificateWithHttpMessagesAsync(String vaultBaseUrl, String certificateName, String certificateVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
2019-05-02T20:14:50.1507285Z    at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetCertificateAsync(IKeyVaultClient operations, String vaultBaseUrl, String certificateName, CancellationToken cancellationToken)
2019-05-02T20:14:50.1507397Z    at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, SignatureType signatureType, Boolean overwrite, String keyVaultCertificateName, String keyVaultUrl, String keyVaultClientId, String keyVaultClientSecret, String keyVaultAccessToken) in D:\a\1\s\NuGetKeyVaultSignTool.Core\SignCommand.cs:line 66
2019-05-02T20:14:50.1507500Z    at NuGetKeyVaultSignTool.Program.<>c__DisplayClass0_1.<<Main>b__3>d.MoveNext() in D:\a\1\s\NuGetKeyVaultSignTool\Program.cs:line 91
2019-05-02T20:14:50.1507722Z    --- End of inner exception stack trace ---
2019-05-02T20:14:50.1507784Z    at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
2019-05-02T20:14:50.1507855Z    at Microsoft.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args)
2019-05-02T20:14:50.1507912Z    at NuGetKeyVaultSignTool.Program.Main(String[] args) in D:\a\1\s\NuGetKeyVaultSignTool\Program.cs:line 155
2019-05-02T20:14:55.5888013Z ##[debug]Exit code: -532462766
2019-05-02T20:14:55.5929338Z ##[debug]Leaving Invoke-VstsTool.
2019-05-02T20:14:55.6456593Z ##[error]Cmd.exe exited with code '-532462766'.

clairernovotny commented 5 years ago

It could definitely use a better error message, but does the service principal have the right ACL in Key Vault?

It needs certificate get and key get & sign.

timheuer commented 5 years ago

Yes, when run locally:

info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [Alexa.NET.1.6.1.nupkg]: Begin Signing Alexa.NET\bin\Debug\Alexa.NET.1.6.1.nupkg
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Creating Primary signature
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Primary signature completed
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Timestamp primary signature
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Timestamp completed
info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [Alexa.NET.1.6.1.nupkg]: End Signing Alexa.NET\bin\Debug\Alexa.NET.1.6.1.nupkg

clairernovotny commented 5 years ago

That's very odd... could it be a long shot that something underlying the current Azure outage is interfering?

timheuer commented 5 years ago

I've been trying all morning, but I'll wait to make sure :-)

clairernovotny commented 5 years ago

I'm a bit at a loss why it'd work locally and not via a pipeline. Might need to rope in an expert or two :)

timheuer commented 5 years ago

Hmm, looks like the core issue is that your tool cannot execute a sign command on a *.pkg path (like the nuget sign command can).

clairernovotny commented 5 years ago

Ah, that'd do it. I was avoiding the "hard work" of path expansion. If you know of an easy way to handle those expansions, I can incorporate that.

timheuer commented 5 years ago

@onovotny, here is the code that NuGet uses to resolve wildcards: https://github.com/NuGet/NuGet.Client/blob/524ec33d792d0972b8999cda0c1e297b6e23e9b4/src/NuGet.Core/NuGet.Protocol/Utility/LocalFolderUtility.cs

ex: https://github.com/NuGet/NuGet.Client/blob/524ec33d79/src/NuGet.Core/NuGet.Commands/SignCommand/SignCommandRunner.cs#L25
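One way the tool could expand a wildcard package argument such as the D:\...\drop\*.nupkg from the pipeline command above, written as an added example that is neither NuGetKeyVaultSignTool's nor NuGet.Client's code (PackagePathResolver and Resolve are hypothetical names). It limits wildcards to the file-name segment, expands them non-recursively, and fails loudly when nothing matches, so a mistyped path cannot make a signing step appear to succeed while signing nothing.

```csharp
// Added example, not code from NuGetKeyVaultSignTool or NuGet.Client: expands a
// package argument such as D:\drop\*.nupkg into concrete files before signing.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
static class PackagePathResolver   // hypothetical name
{
    static readonly char[] Wildcards = { '*', '?' };
    static readonly char[] Separators = { Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar };

    // Returns the full paths of every package the argument refers to.
    // Throws instead of returning an empty list, so a mistyped path can
    // never make the signing step "succeed" while signing nothing.
    public static IReadOnlyList<string> Resolve(string packagePath)
    {
        if (string.IsNullOrWhiteSpace(packagePath))
            throw new ArgumentException("Package path not specified", nameof(packagePath));
        // Split manually so wildcard characters never reach Path.GetDirectoryName.
        int sep = packagePath.LastIndexOfAny(Separators);
        string directory = sep < 0 ? Directory.GetCurrentDirectory() : packagePath.Substring(0, sep + 1);
        string pattern = packagePath.Substring(sep + 1);

        // Only the file-name segment may carry wildcards; a wildcard in a
        // directory segment is rejected to keep the expansion predictable.
        if (directory.IndexOfAny(Wildcards) >= 0)
            throw new ArgumentException("Wildcards are only supported in the file name", nameof(packagePath));
        if (pattern.IndexOfAny(Wildcards) < 0)
        {
            // Plain path: sign exactly that file, which must exist.
            if (!File.Exists(packagePath))
                throw new FileNotFoundException("Package not found", packagePath);
            return new[] { Path.GetFullPath(packagePath) };
        }

        if (!Directory.Exists(directory))
            throw new DirectoryNotFoundException("Directory not found: " + directory);
        // Non-recursive: *.nupkg must not quietly pick up packages in
        // subfolders the caller never pointed at.
        var matches = Directory
            .EnumerateFiles(directory, pattern, SearchOption.TopDirectoryOnly)
            .Select(p => Path.GetFullPath(p))
            .OrderBy(p => p, StringComparer.OrdinalIgnoreCase)
            .ToList();
        if (matches.Count == 0)
            throw new FileNotFoundException("No packages match '" + pattern + "' in " + directory);
        return matches;
    }
}
```

The caller would loop over the returned list and invoke the existing per-file SignAsync for each entry, which is what the nuget sign command does after its own wildcard resolution.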